containers – Qualys Blog
https://blog.qualys.com
Expert network security guidance and news

RunC Container Breakout Vulnerability
https://blog.qualys.com/securitylabs/2019/02/12/runc-container-breakout-vulnerability
Tue, 12 Feb 2019 15:46:10 +0000

Despite the huge advantages that containers offer in application portability, acceleration of CI/CD pipelines and agility of deployment environments, the biggest concern has always been about isolation. Since all the containers running on a host share the same underlying kernel, any malicious code breaking out of a container can compromise the entire host, and hence all the applications running on the host and potentially in the cluster.

That fear of container isolation failing to hold up turned out to be true yesterday when a vulnerability in runC was announced. runC is the key and most popular software component that most container engines rely on for spinning up containers on a host. The announced vulnerability allows an attacker to break out of the container isolation through a well-crafted attack (technical details of the vulnerability and the exploit are at https://seclists.org/oss-sec/2019/q1/119) and compromise the entire host. The vulnerability is particularly nasty because it is not covered by the default AppArmor or SELinux kernel-enforced sandboxing policies.

What can you do to protect your containerized applications?

Even though the exploit is tricky to execute, the exploit code will be released publicly on February 18, so it’s best to protect your container environment by doing the following:

Know which nodes (Docker hosts) are running your containers, and whether any of them are running a vulnerable version of Docker Engine. If you are a Qualys customer, you can use AssetView to get that information. Docker has released the patch in version 18.09.2.

What to do in the future?

It’s good to be concerned about any new technology while it matures, but it’s equally important to harden the application build and deployment workflows in order to prevent the attacker from getting an easy lead into exploiting the deployed containers.

Ensure that only those container images that have gone through the defined compliance checks (related to vulnerabilities, packages, etc.) are deployed in production. As an example, you can use the Qualys Container Security solution to promote only those built images that pass the compliance checks on the build nodes.

Privileged containers, if compromised, can bring down the entire container cluster. Hence, keep a close watch on all privileged containers running in your environment.
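The two checks above (which Docker hosts are still on an engine older than 18.09.2, and which running containers are privileged) can be scripted on each host. The following POSIX sh script is an added example, not code from the Qualys post; the function and variable names (PATCHED_VERSION, docker_version_is_vulnerable, list_privileged_containers, check_host) are this example's own, and it relies only on the standard docker CLI (`docker version --format`, `docker ps -q`, `docker inspect --format`).

```shell
#!/bin/sh
# Added example (not part of the Qualys post): a defender's per-host check.
# 1. Compare the running Docker Engine version against 18.09.2, the release
#    the post names as carrying the runC fix.
# 2. List running containers started with --privileged, which the post says
#    deserve close watching.

PATCHED_VERSION="18.09.2"   # from the post; example's own variable name

# docker_version_is_vulnerable VERSION
# Exit status 0 (true) when VERSION is older than PATCHED_VERSION, 1 otherwise.
# Only the first three numeric components are compared, so suffixed versions
# such as "18.06.1-ce" work: awk's numeric coercion reads "1-ce" as 1.
docker_version_is_vulnerable() {
    awk -v have="$1" -v fixed="$PATCHED_VERSION" 'BEGIN {
        n = split(have, h, ".")
        m = split(fixed, f, ".")
        for (i = 1; i <= 3; i++) {
            a = (i <= n) ? h[i] + 0 : 0
            b = (i <= m) ? f[i] + 0 : 0
            if (a < b) exit 0
            if (a > b) exit 1
        }
        exit 1   # equal to the patched version: not vulnerable
    }'
}

# Print "name privileged=true" for every running container whose
# HostConfig.Privileged flag is set. Returns 1 when docker ps fails or
# when grep finds no privileged container.
list_privileged_containers() {
    ids=$(docker ps -q 2>/dev/null) || return 1
    [ -n "$ids" ] || return 1
    # shellcheck disable=SC2086  (word splitting of $ids is intended)
    docker inspect --format '{{.Name}} privileged={{.HostConfig.Privileged}}' $ids \
        | grep 'privileged=true'
}

# Human-readable report for this host; skipped when no docker client exists.
check_host() {
    command -v docker >/dev/null 2>&1 || { echo "docker not installed; skipping"; return 0; }
    v=$(docker version --format '{{.Server.Version}}' 2>/dev/null) \
        || { echo "cannot reach the Docker daemon"; return 1; }
    if docker_version_is_vulnerable "$v"; then
        echo "Docker Engine $v is older than $PATCHED_VERSION: upgrade to get the runC fix"
    else
        echo "Docker Engine $v already includes the runC fix"
    fi
    echo "Privileged containers (review each one):"
    list_privileged_containers || echo "  (none found)"
}

check_host
```

Run it on each Docker host from an inventory loop (for example over SSH); the version test is deliberately a pure string comparison so it can also be applied offline to version data collected by an asset inventory tool.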

(Asif Awan is CTO for Container Security at Qualys)

Container Security Becomes a Priority for Enterprises
https://blog.qualys.com/news/2019/01/09/container-security-becomes-a-priority-for-enterprises
Wed, 09 Jan 2019 17:00:14 +0000

Among the IT innovations that businesses are using to digitally transform operations, containers might be the most disruptive and revolutionary.

DevOps teams have embraced containers because they boost speed and flexibility in app development and delivery, and are ideal for microservices. In fact, by 2020 more than 50% of organizations will run containerized applications in production, up from under 20% in 2017, according to Gartner. Thus, security teams must prioritize protecting the applications that DevOps teams create with this OS virtualization method.

“We see container security as a significant new paradigm coming at us, which will bring a lot of change,” Qualys CEO Philippe Courtot said.

“Security automation is a simple term but to get a handle over that entire automated and ever-accelerating CI/CD (continuous integration and delivery) pipeline is becoming more and more difficult,” Awan said.

Responding to this need, Qualys offers a comprehensive security solution that monitors and protects containerized applications from the inside. In order to do that, Qualys technology collects granular behavior data about the application, providing deep visibility and enforcing normal application behavior for runtime protection.

Read on to learn about Qualys’ container security approach.

The allure of containers

“Everybody loves containers,” Awan said.

Because they package an application and its dependencies without a guest OS, containers offer advantages over VMs. Applications can be developed more quickly, are more lightweight and portable, and can be spun up and down faster.

They also run consistently regardless of the underlying computing infrastructure, making them highly portable. In addition, because they’re much slimmer, many more containers than VMs can be packed into a host, saving computing resource costs.

Securing containers

Container security challenges are primarily related to a lack of visibility, monitoring capabilities and control over their deployments. For example, container developers often use un-validated, buggy software components from public repositories, and deploy containers with weak configurations, resulting in applications that are highly vulnerable to hacker exploits.

Containers also communicate with each other via exposed network ports, bypassing host controls, and they’re hard to track because they’re so ephemeral, making them difficult to monitor. Furthermore, organizations have delegated even more container tasks to providers of increasingly popular container-as-a-service (CaaS) and orchestration-as-a-service offerings.

The Qualys approach

“Qualys provides a comprehensive solution for visibility and control for the entire lifecycle of containerized apps,” Awan said.

The Qualys container security solution gives security teams continuous discovery, tracking, and protection of containers in DevOps pipelines and deployments at any scale.

Awan explained that the traditional application security approach has been to either install an agent on the host or monitor network traffic. Qualys believes the best way to protect a containerized application is from the inside. “We layer in visibility and security in each application,” he said.

Qualys does this by replicating container images and embedding its security logic in them. That way, customers get very specific data about the application. “Anything that an app does, all of those activities, are captured and we automatically create a behavior profile,” he said.

That profile gets converted into detailed security policies which are enforced at the individual container level. That way, security teams can detect containers that drift from their normal behavior.

Qualys’ policy-based orchestration also stops vulnerable container images from being spun up in Kubernetes clusters. In this way, Qualys’ solution enables teams to zero in on host-level or container-level vulnerability and patch compliance.

The result: Deep visibility and runtime application protection for containerized and serverless “container as a service” workloads like AWS Fargate and Azure Container Instances. This is the right way to monitor and secure applications because the infrastructure stack changes constantly and is managed through offerings like AWS Fargate/Lambda and Azure Container Instances/Cloud Functions.

This approach is also inherently more secure than those based on privileged and elevated system capabilities, which give the privileged security containers access and control over all other containers, according to Awan. As was seen with the recently patched Kubernetes flaw (CVE-2018-1002105), it’s likely that similar vulnerabilities and threats will emerge, because adding root privileges to the layer that’s exposed to the external, hostile environment makes that layer a target for malicious activity.

By embedding visibility and security within the container itself, Qualys can monitor and control all container network, storage, and application calls from within each container. It also retains the portability and agility of containers by automatically moving and scaling with them.

In short, with Qualys’ solution, organizations can protect all phases of container deployment — the build, ship, and runtime stages, he said.

Build

In this phase, the main goal is keeping unsafe, vulnerable images out of your container repository. DevSecOps teams can perform vulnerability analysis right from their CI/CD tools once those tools have been integrated with Qualys via REST APIs or custom plug-ins. Developers are automatically notified if an image fails, and can access detailed, actionable vulnerability information for fixing the issue.

Qualys also provides visibility into container images’ software composition, to know, for example, whether open source packages are used and how these packages are licensed, Awan said.

Ship

In this phase, organizations should monitor for vulnerabilities and misconfigurations of the images already in their registries. Qualys inventories and scans images in on-premises registries and cloud-based registries.

Organizations can also schedule automated daily scans to detect newly-disclosed vulnerabilities and to check the new images being added to the repositories. That way, organizations can make sure they are enforcing compliance with internal and external standards and policies.

Runtime

When containers are deployed in production, it’s critical to have visibility and continuous monitoring of runtime environments, and to respond to breaches. With Qualys, organizations can detect vulnerable containers, identify where they are, and assess their potential impact based on how widespread they are in the environment.

Qualys also lets security teams validate images against security policies, and block unapproved images from being spun up as containers through integration with orchestrators to enforce compliance.

And finally, Qualys provides deep application-level visibility into all container activities and enforces the normal behavior at an individual container level for application protection.

For more information about Qualys’ container security solution, please watch the video of Awan’s QSC talk, which includes more details, and a live demo.

Infosec Teams Race To Secure DevOps
https://blog.qualys.com/news/2018/11/28/infosec-teams-race-to-secure-devops
Wed, 28 Nov 2018 17:00:37 +0000

With DevOps adoption spreading, infosec teams are scrambling to address the new security challenges stemming from DevOps’ accelerated code development and app deployment. But while IT organizations have made notable progress adapting security to their DevOps processes, work remains to be done.

That’s a key finding from SANS Institute’s “Secure DevOps: Fact or Fiction” report, which was discussed recently in a two-day webcast (Part 1 & Part 2) co-sponsored by Qualys. A revealing statistic: Under 50% of respondent organizations have fully “shifted left” to embed security throughout their DevOps pipelines, a figure that should be higher.

“Security is still being built in at the end, whereas risk reduction should start earlier in the software development lifecycle,” said Barbara Filkins, a SANS analyst. With security in the early stages of application design, “we can eliminate many issues that we’d see at the back end,” she said.

Threading security throughout DevOps also preserves the benefits of continuous and quick software delivery, like improved customer support and employee productivity.

“As a DevOps engineer, you’re looking to automate security at the speed of what business needs,” said Qualys Product Management Director Hari Srinivasan.

“The goal is enabling a transition from DevOps to secure DevOps that is factual, not fiction,” Filkins said.

Read on to learn about DevSecOps challenges, best practices and case studies.

Real world DevSecOps

Srinivasan described how several Qualys customers have successfully implemented DevSecOps by automating and integrating security and compliance checks.

At a large U.S. bank, in order to certify the security of its Amazon Machine Images (AMIs), the DevOps and security teams emailed scan reports and fix requests in a back-and-forth loop.

“It took about two weeks for each AMI to get certified,” Srinivasan said. With Qualys’ help, the bank revamped and automated the process.

The DevOps team was given API access to the security team’s Qualys vulnerability management and policy compliance products. This allowed developers to run scans themselves, get reports, remediate and re-scan as needed, without involving the security team. This shortened the process to under 24 hours.

The bank also seeds the Qualys Cloud Agent on every AMI deployed to production, so it’s alerted immediately about newly-discovered security and compliance issues on live instances. The agent has improved the accuracy of vulnerability and misconfiguration detection, cutting false positives and making scan data available sooner.

“This is an example of how security can be transparently embedded within DevOps processes,” he said.

The integration allows ACS to detect Azure VMs and deploy lightweight Qualys Cloud Agents in bulk to them. The agents gather vulnerability data and send it to the Qualys Cloud Platform, which in turn, provides vulnerability and system health monitoring data back to the ACS administrator.

“This shows how a vendor can transparently orchestrate security into the cloud provider space, removing the friction and overhead the IT ops team would have rolling out security tools,” Srinivasan said.

Srinivasan also highlighted:

How Qualys’ Web Application Scanning (WAS) product can be integrated via API with the popular Jenkins CI/CD tool so that DevOps teams can run security checks on applications at the staging, test/QA and development environments.

Infosec faces old and new challenges

A clear picture emerges from SANS’ survey of almost 300 organizations: Security teams are striving to keep up with DevOps teams’ constant use of emerging technologies, while also protecting legacy software.

In practice, this means infosec teams are learning how to secure serverless apps, containers, IoT systems and cloud workloads, as they also defend mature web, mobile and off-the-shelf apps.

“Legacy apps remain a priority but does it divert the attention from the new platforms and risks that are rapidly becoming mainstream?” Filkins said.

(Source: Secure DevOps: Fact or Fiction? SANS Institute)

Thus, infosec teams must strike the right balance, so that they don’t fall behind with either set of apps. That’s easier said than done, of course.

“Almost everyone we surveyed is dealing with serious technical and security debt issues with their legacy systems,” said SANS analyst Jim Bird.

DevOps: Full speed ahead

Meanwhile, DevOps teams aren’t slowing down. Their frequency of system changes deployed to production apps increased notably from last year.

“Security teams must keep up — or get left behind,” Filkins said.

They’re trying. Respondents testing business-critical apps twice or more per month rose from 13% to 24% this year. Organizations testing daily and continuously almost doubled.

Unfortunately, the percentage of vulnerabilities repaired promptly and satisfactorily increased only marginally. “Time to patch shows no improvement, or at least not enough,” Filkins said.

The reason may be surprising. “It’s not because they can’t,” Bird said. Management either doesn’t allow or doesn’t encourage them to.

Organizational issues affect DevSecOps success in general, taking the form of skills and personnel shortages, inadequate budgets, and communication silos.

Best practices

Also fundamental: “Shifting left,” so that security is integrated and automated throughout the software development and delivery cycle.

However, the survey reveals that more than half of respondents aren’t integrating security until the development stage or later ones, like QA and implementation.

“That’s a little too late to start thinking about security because it becomes a bolt-on, instead of a holistic approach in the application design,” Filkins said.

In fact, when respondents were asked about DevSecOps success factors, the top one was the integration of automated security testing into build / delivery tools and workflows.

Other DevSecOps success tips from SANS include:

Making security transparent and adding it into engineering backlogs

Addressing organizational issues

Making engineers responsible for building secure code, and providing them with the necessary training and tools

Creating security champions throughout the organization

Improving communication and collaboration between DevSecOps and management, and building cross-functional teams

Measuring improvement

Once organizations have a DevSecOps program, they should evaluate its effectiveness. SANS recommends tracking metrics like:

Time to fix vulnerabilities

Security issues discovered post-deployment

Builds delayed due to security issues

Human hours spent resolving security issues

The common denominator here — and ultimate goal — is speed of delivery.

“As the velocity of delivery increases, the security program has to enable velocity, not slow it down,” Bird said.

We invite you to view the webcasts and download the report, where you’ll find many more details about DevSecOps challenges and best practices.

QSC18: The Need for Security Visibility in the Age of Digital Transformation
https://blog.qualys.com/news/2018/11/15/qsc18-the-need-for-security-visibility-in-the-age-of-digital-transformation
Thu, 15 Nov 2018 16:00:54 +0000

Enterprises are moving full steam ahead when it comes to their digital transformation efforts. They’ve aggressively adopted cloud infrastructure and other cloud services, IoT, application containers, serverless functionality, and other technologies that are helping their organizations drive forward.

Those organizations that are way down the road in their digital transformation efforts say that they’ve witnessed improved business decision-making – both when it comes to making better decisions and when it comes to making those decisions more rapidly. They also say that they’ve improved their customer relationships by delivering an improved customer digital experience.

So it’s time to celebrate and declare digital victory, right?

Hold off before we book the band and order the champagne for the big party. In fact, those who want to move forward securely and confidently in their risk and regulatory compliance postures have some challenges ahead.

In their respective keynotes this morning, at Qualys Security Conference 2018, both Qualys chairman and CEO Philippe Courtot and Qualys chief product officer Sumedh Thakar clearly explained the challenges ahead – and how to meet these challenges.

After watching both keynotes, I’m more confident that the security and visibility challenges posed by digital transformation can be met. But it’s also clear that to succeed, organizations will need diligence, a comprehensive strategy, and the right technologies.

Security professionals who have been around a while are familiar with the tension between the business’s need to move fast and the need to move securely. As Courtot discussed in his keynote, the technology industry (and enterprises) have long rushed forward with technology, only to look for a way to secure it after it has been deployed.

In the late 1990s and early 2000s, it was about trying to layer security on top of endpoints, networks, and web applications with anti-malware software, intrusion detection systems, network and web application firewalls, encryption of network traffic, and so on. Every new deployment required new security defenses.

Of course, the outcome from that approach was less than optimal. As Thakar pointed out in his keynote, with the rise of mobile, cloud computing, containerization, DevOps and continuous development – the speed of application and infrastructure deployment has created a level of complexity where security truly needs to be more tightly integrated into environments, and it needs to be continuously so.

After all, it’s never been easier than it is today to take a new software application, feature, or other enhancement from concept to deployment. And it’s also never been easier to deploy new technologies, new devices, and for users to access sensitive data from anywhere. While all of this has helped organizations with their digital transformation efforts, it’s caused many a CISO a sleepless night.

After all, speed and complexity are not natural allies of enterprise security.

Just consider the lack of visibility most CIOs and CISOs have into their mobile devices, virtualized systems, application containers, databases, serverless functions, cloud and on-premises storage systems, networks, cloud application services. So much technology is being deployed, so quickly, that there has been a significant loss of visibility into these systems.

As Courtot said during his keynote, organizations can’t secure what they can’t see. In today’s environments, there is a lot CISOs can’t see.

Thakar outlined a way forward. As he detailed in his keynote, enterprises need to be able to access the state of their environments and devices continuously, so that they can persistently see the security status of these assets and make swift adjustments that will reduce risk and maintain compliance to security and regulatory policies.

What does that mean, practically, for security professionals?

It means security professionals need to be able to see and catalog every asset in their environment, and they need accurate insight into the security status of their software and devices. Such a capability would enable security teams to mitigate pressing risks quickly.

Such risks could include a new vulnerability disclosure in an open source library that is used in various places in the organization. This is an area many organizations don’t have good visibility into today. It could mean blacklisting known devices that place the enterprise at an unacceptable level of risk. And it could also mean ensuring containers run with the right security policies in place.

To do this, Thakar detailed how cloud agents, active scanning and passive scanning could be used to continuously collect asset data in real time so that organizations can persistently classify hardware, software and other attributes.

That continuous asset insight means enterprises can effectively deal with blacklisted devices or out-of-date systems and applications. This means not only effective vulnerability management, but also the ability to stay continuously compliant with policy or common security frameworks. It also means CISOs can readily eliminate unnecessary systems and software that aren’t providing the organization value but could be increasing its attack surface.

All of this is crucial in the age of digital transformation. Enterprises that can manage their business-technology assets continuously will not only be more secure but also nimbler and better able to adjust as their business conditions demand. And if there’s anything sure about the years ahead, it is that enterprises will need to move forward with more agility, and to do so securely.